CCPA Compliance Checklist: What Your Website Needs in 2026
The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), is the most significant privacy law in the United States. If your business interacts with California residents, there is a good chance it applies to you.
Unlike GDPR, which applies to almost every website that collects personal data from EU visitors, CCPA has specific thresholds. Not every business is covered. But if you are, the requirements are serious and the penalties are real.
This guide explains who CCPA applies to, what it requires, and gives you a step-by-step checklist to get your website compliant.
Who Does CCPA Apply To
CCPA applies to for-profit businesses that collect personal information from California residents and meet at least one of these thresholds:
- Annual gross revenue exceeds $25 million. This is the most commonly cited threshold. If your business makes more than $25 million per year, CCPA applies regardless of how much data you collect.
- You buy, sell, or share the personal information of 100,000 or more California residents, households, or devices per year. This threshold is easier to hit than most businesses realize. If your website gets significant California traffic and uses analytics or advertising cookies, you may be processing data from 100,000 or more California residents.
- You derive 50% or more of your annual revenue from selling or sharing California residents' personal information. This primarily applies to data brokers and advertising-focused businesses.
A few important notes. CCPA applies based on where your customers or visitors are, not where your business is located. A company in Texas that serves California customers is covered. CCPA also applies to personal information collected online and offline.
Under CPRA amendments, there is also now a dedicated enforcement agency - the California Privacy Protection Agency (CPPA) - which has been actively issuing regulations and enforcement actions since 2023.
What Counts as Personal Information Under CCPA
CCPA defines personal information broadly. It includes:
- Names, email addresses, phone numbers, and mailing addresses
- IP addresses and online identifiers
- Browsing history and search history
- Geolocation data
- Commercial information like purchase history
- Biometric information
- Professional or employment information
- Education information
- Inferences drawn from any of the above to create a consumer profile
If your website collects any of this - and almost every website collects at least IP addresses and browsing data through analytics tools - it falls within CCPA's scope.
CCPA vs GDPR: Key Differences
If you are already familiar with GDPR, it helps to understand where CCPA is different. For a detailed look at GDPR requirements, see our GDPR compliance checklist.
Opt-out vs opt-in. GDPR generally requires opt-in consent before collecting data. CCPA allows data collection by default but gives consumers the right to opt out of the sale or sharing of their data. This is a fundamental difference in approach.
Scope. GDPR applies to any organization processing EU residents' data. CCPA applies only to for-profit businesses meeting the revenue or data thresholds above.
Sensitive data. Under CPRA, consumers have the right to limit the use of sensitive personal information. This includes Social Security numbers, financial account details, precise geolocation, racial or ethnic origin, and religious beliefs.
Private right of action. CCPA gives consumers a limited private right of action in data breach cases. GDPR allows individuals to seek compensation for any violation.
Penalties. CCPA penalties are up to $2,500 per unintentional violation and $7,500 per intentional violation. These are per-violation penalties, which means they can add up quickly across thousands of affected consumers.
The CCPA Compliance Checklist
Here are the steps your business and website need to take. Work through them in order.
Step 1: Determine If CCPA Applies to Your Business
Review the thresholds above. If you meet any one of them, CCPA applies. If you are close to a threshold, plan for compliance now - you do not want to cross a threshold and scramble to catch up.
Even if you do not meet the thresholds today, understanding CCPA is worthwhile. Several other states have passed similar laws (Colorado, Connecticut, Virginia, Oregon, Texas, and others), and a federal privacy law remains under discussion in Congress.
Step 2: Map Your Data Collection
Document what personal information you collect from California residents, where it comes from, how it is used, and who it is shared with. This data map is the foundation of your compliance program.
Include:
- Website forms (contact, signup, checkout)
- Cookies and tracking technologies
- Analytics tools
- Advertising pixels
- CRM and email marketing platforms
- Payment processors
- Any other tool or service that processes personal information
Step 3: Update Your Privacy Policy
CCPA requires specific disclosures in your privacy policy. Your policy must include:
- The categories of personal information you collect
- The purposes for which each category is used
- The categories of third parties with whom you share personal information
- Whether you sell or share personal information (and if so, which categories)
- The consumer rights provided by CCPA (see below)
- How consumers can submit requests to exercise their rights
- The categories of personal information you have sold or shared in the past 12 months (or a statement that you have not)
Update your privacy policy at least once every 12 months. CCPA specifically requires annual updates.
Step 4: Add a "Do Not Sell or Share My Personal Information" Link
This is one of the most recognizable CCPA requirements. If your business sells or shares personal information - and "sharing" under CPRA includes making data available to third parties for cross-context behavioral advertising - you must provide a clear link on your website titled "Do Not Sell or Share My Personal Information."
This link must be on your homepage and must lead to a page or mechanism where consumers can opt out.
Important: Under CPRA, "sharing" personal information for targeted advertising counts, even if no money changes hands. If you use advertising cookies or pixels from Google, Meta, or other ad networks, you are likely "sharing" personal information under this definition.
Step 5: Implement an Opt-Out Mechanism
When a consumer clicks your "Do Not Sell or Share" link, they must be able to opt out without creating an account, verifying their identity, or jumping through unnecessary hoops.
You also need to honor Global Privacy Control (GPC) signals. GPC is a browser-level signal that tells websites the user wants to opt out of the sale and sharing of their personal information. As of 2026, honoring GPC is a legal requirement under CCPA. If a visitor's browser sends a GPC signal, your website must treat it as a valid opt-out request.
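One way to honor GPC server-side, as an added example that is not the article's own code: it reads the Sec-GPC request header that the GPC specification defines, treats the signal as an opt-out alongside any previously recorded opt-out cookie, and suppresses the tags your data map classified as selling or sharing. Node.js-style lowercase header keys, the cookie name ccpa_opt_out, and the tag inventory are assumptions.

```javascript
// Added example (not the article's own code): honoring Global Privacy Control
// server-side as a valid CCPA opt-out. Assumes Node.js-style request headers
// with lowercase keys; the cookie name and tag inventory are assumptions.

const OPT_OUT_COOKIE = "ccpa_opt_out";

// Tags the data map classified as "selling or sharing" (constructed list).
const SHARING_TAGS = new Set(["meta-pixel", "google-ads-remarketing"]);

// The GPC specification defines the request header "Sec-GPC: 1".
// Any other value, or a missing header, means no opt-out signal was sent.
function hasGpcSignal(headers) {
  return headers["sec-gpc"] === "1";
}

// Read a previously recorded opt-out from the Cookie header.
function hasOptOutCookie(cookieHeader) {
  if (!cookieHeader) return false;
  return cookieHeader.split(";").some((part) => {
    const [name, value] = part.trim().split("=");
    return name === OPT_OUT_COOKIE && value === "1";
  });
}

// Either signal means: do not sell or share this visitor's data.
function isOptedOut(headers) {
  return hasGpcSignal(headers) || hasOptOutCookie(headers["cookie"]);
}

// Filter the tags a page wants to load: sharing tags are dropped when opted
// out; anything not in SHARING_TAGS (first-party tooling) still loads.
function allowedTags(headers, requestedTags) {
  const optedOut = isOptedOut(headers);
  return requestedTags.filter((tag) => !(optedOut && SHARING_TAGS.has(tag)));
}

// Set-Cookie value that persists the opt-out for a year, so the choice
// survives later requests where the browser might not send Sec-GPC.
function optOutCookieHeader() {
  return `${OPT_OUT_COOKIE}=1; Max-Age=31536000; Path=/; Secure; SameSite=Lax`;
}

// Framework-agnostic handler: returns which tags may load and, on first sight
// of a GPC signal, the cookie that records it as an opt-out request.
function handleRequest(headers, requestedTags) {
  const response = { tags: allowedTags(headers, requestedTags), setCookie: null };
  if (hasGpcSignal(headers) && !hasOptOutCookie(headers["cookie"])) {
    response.setCookie = optOutCookieHeader();
  }
  return response;
}
```

Log each recorded GPC opt-out alongside your other consumer requests so it appears in the request records Step 14 requires.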
Step 6: Handle Consumer Rights Requests
CCPA gives California residents several rights:
Right to know. Consumers can ask what personal information you have collected about them, where it came from, how it is used, and who it has been shared with.
Right to delete. Consumers can ask you to delete their personal information, with some exceptions (like data needed to complete a transaction or comply with legal obligations).
Right to correct. Consumers can ask you to correct inaccurate personal information.
Right to opt out. Consumers can opt out of the sale or sharing of their personal information.
Right to limit use of sensitive personal information. Consumers can direct you to use sensitive personal information only for specified purposes.
Right to non-discrimination. You cannot deny services, charge different prices, or provide a different quality of service to consumers who exercise their rights.
You must provide at least two methods for consumers to submit requests. A toll-free phone number and a web form or email address are the most common combination. You must respond to requests within 45 days.
Step 7: Verify Consumer Identities for Requests
When you receive a request to know, delete, or correct personal information, you must verify the consumer's identity before fulfilling it. The level of verification should match the sensitivity of the request.
For a request to know categories of data (lower sensitivity), you might verify using two data points. For a request to delete (higher sensitivity), you might verify using three data points. Document your verification procedures.
Step 8: Train Your Team
Anyone who handles consumer inquiries or manages personal information needs to understand CCPA requirements. This includes customer service staff, marketing team members, and IT personnel.
Training should cover:
- What consumer rights exist under CCPA
- How to recognize a CCPA request
- Where to direct requests for processing
- Timelines for response
- What constitutes discrimination against consumers who exercise their rights
Step 9: Review Service Provider Contracts
CCPA distinguishes between service providers (who process data on your behalf) and third parties (who process data for their own purposes). Your contracts with service providers must include specific CCPA provisions:
- The business purpose for the data sharing
- A prohibition on the service provider selling the personal information
- A requirement to comply with CCPA
- A commitment to maintain appropriate security
Review your existing contracts with hosting providers, analytics tools, email platforms, payment processors, and any other service that processes personal information from your customers.
Step 10: Implement a "Limit the Use of My Sensitive Personal Information" Link
If you collect sensitive personal information - which includes Social Security numbers, financial account details, precise geolocation, racial or ethnic origin, religious beliefs, contents of private communications, genetic data, biometric data, health data, and data about sex life or sexual orientation - you must provide a link allowing consumers to limit how this data is used.
Many small business websites do not collect most of these categories. But if you collect precise geolocation data or financial information, this requirement applies.
Step 11: Check Your Cookie and Tracking Practices
Under CPRA, sharing personal information with third parties for cross-context behavioral advertising is treated as "sharing" and triggers the opt-out requirements. This means:
- If you use Google Analytics with advertising features enabled, you may be sharing personal information.
- If you use Meta Pixel (Facebook Pixel), you are almost certainly sharing personal information.
- If you use retargeting or programmatic advertising, you are sharing personal information.
For each advertising or analytics tool on your website, determine whether it constitutes selling or sharing under CCPA. If it does, it must be covered by your opt-out mechanism. If you also have EU visitors, remember that GDPR has different (and generally stricter) cookie requirements. See our post on GDPR and US websites for more on how these laws interact.
Step 12: Set Up Notice at Collection
CCPA requires that you provide notice to consumers at or before the point of collection. This notice must include:
- The categories of personal information being collected
- The purposes for which each category will be used
- Whether the information is sold or shared
- How long each category will be retained (or the criteria for determining the retention period)
This is separate from your privacy policy. It applies at the point where data is actually collected - your website forms, cookie banners, and signup pages.
Step 13: Handle Minors' Data Correctly
CCPA has specific rules for consumers under 16. If you know that a consumer is under 16, you cannot sell or share their personal information without affirmative consent.
For consumers aged 13 to 15, the minor themselves must opt in. For consumers under 13, a parent or guardian must consent.
If your website is directed at children or if you have actual knowledge that minors use your site, you must implement appropriate age-verification and consent mechanisms.
Step 14: Maintain Records
Keep records of consumer requests and how you responded to them for at least 24 months. If your business processes the personal information of 10 million or more consumers annually, you must also compile metrics about the requests you received and publish them in your privacy policy.
For smaller businesses, the 24-month record-keeping requirement still applies. Document every request, your verification steps, your response, and the outcome.
Step 15: Monitor for Updates and New Regulations
CCPA enforcement is evolving. The CPPA continues to issue new regulations and enforcement guidance. Recent rulemaking has addressed automated decision-making, cybersecurity audits, and risk assessments.
Stay current with:
- CPPA rulemaking announcements
- Enforcement actions and settlements
- Updates to the CCPA regulations (California Code of Regulations, Title 11, Division 6)
- New state privacy laws that may apply to your business
Penalties for Non-Compliance
CCPA penalties are enforced by the California Attorney General and the CPPA:
- Up to $2,500 per unintentional violation. This is per violation, per consumer. A single compliance failure affecting 10,000 consumers could result in $25 million in penalties.
- Up to $7,500 per intentional violation. The same per-violation math applies. Intentional violations include ignoring opt-out requests or failing to honor GPC signals after being notified.
- Private right of action for data breaches. Consumers can sue for statutory damages of $100 to $750 per consumer per incident if their personal information is breached due to a failure to implement reasonable security measures.
The CPPA has been active in enforcement since it began operations. Fines have been issued against companies of all sizes.
Quick-Start Priority List
If you are just starting on CCPA compliance, here is where to focus first:
Immediate priorities:
- Update your privacy policy (Step 3)
- Add the "Do Not Sell or Share" link (Step 4)
- Honor GPC signals (Step 5)
- Review your tracking and advertising tools (Step 11)
Next priorities:
- Set up consumer request handling (Steps 6 and 7)
- Add notice at collection (Step 12)
- Review service provider contracts (Step 9)
Then complete:
- Data mapping (Step 2)
- Team training (Step 8)
- Sensitive data handling (Step 10)
- Minors' data (Step 13)
- Record-keeping (Step 14)
Run a Free Compliance Scan
CCPA compliance involves many moving parts. It is easy to miss something, especially if your website uses multiple third-party tools and tracking scripts.
Run a free compliance scan on your website with Scanibly. The scan checks your privacy policy, cookie practices, opt-out mechanisms, and other key CCPA indicators. You get a clear report showing what is in place and what needs attention, so you know exactly where to start.